Weak cipher algorithm

Encryption algorithm associated with the cipher context is weak

Description

This defect occurs when you associate a weak encryption algorithm with the cipher context.

Risk

Some encryption algorithms have known flaws. Though the OpenSSL library still supports the algorithms, you must avoid using them.

If your cipher algorithm is weak, an attacker can decrypt your data by exploiting a known flaw or brute force attacks.

Fix

Use algorithms that are well-studied and widely acknowledged as secure.

For instance, the Advanced Encryption Standard (AES) is a widely accepted cipher algorithm.

Examples

expand all

Use of DES Algorithm


#include <openssl/evp.h>
#include <stdlib.h>

void func(unsigned char *key, unsigned char *iv) {
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_CIPHER_CTX_init(ctx);
    const EVP_CIPHER * ciph = EVP_des_cbc();        
    EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);   
}

In this example, the routine EVP_des_cbc() invokes the Data Encryption Standard (DES) algorithm, which is now considered as non-secure and relatively slow.

Correction — Use AES Algorithm

One possible correction is to use the faster and more secure Advanced Encryption Standard (AES) algorithm instead.


#include <openssl/evp.h>
#include <stdlib.h>

void func(unsigned char *key, unsigned char *iv) {
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_CIPHER_CTX_init(ctx);
    const EVP_CIPHER * ciph = EVP_aes_128_cbc();        
    EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);   
}

Result Information

Group: Cryptography

Language: C | C++

Default: Off

Command-Line Syntax: CRYPTO_CIPHER_WEAK_CIPHER

Impact: Medium

Version History

Introduced in R2017a